DigiDoc4 Client is an application for digitally signing and encrypting documents; the software also includes functionality to manage the Estonian ID card (changing PIN codes, etc.).
When a signature container contains an OCSP response that carries the validity status of a different certificate serial number than the signatory's certificate included in the signature, DigiDoc4 Client shows the error "Signature is unknown", and the technical information section wrongly reports that the certificate status is unknown (while the status is "Good"). However, it should show "Signature is not valid" with an appropriate description in the technical information section (e.g., "OCSP response does not match signatory's certificate").
This should be in open-eid/libdigidocpp.
An OCSP response can contain 1 to N references to certificates (RFC 6960).
If we cannot find a suitable reference to the certificate in the OCSP response, then it is classified as UNKNOWN status.
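The comment above describes the two halves of the check a verifier has to make: first locate, among the 1..N SingleResponse entries, the one whose CertID (RFC 6960 section 4.1.1: hash algorithm, issuer name hash, issuer key hash, serial number) belongs to the signer's certificate, and only then read the status it carries. The following is an added illustration, not libdigidocpp or DigiDoc4 code: a stdlib-only Python model in which certificates are reduced to the three fields a CertID is derived from (no ASN.1/DER is parsed, and the issuer name, key bytes and serial numbers are constructed sample values). `evaluate_signature_lenient` models the classification described in the thread, where a missing match is folded into UNKNOWN; `evaluate_signature` shows the behaviour the reporter asks for, where a response that never mentions the signer's certificate makes the signature "not valid" with a mismatch description.

```python
# Added example (not libdigidocpp or DigiDoc4 code): a simplified, stdlib-only model of
# matching an OCSP SingleResponse to the signer's certificate by CertID (RFC 6960, 4.1.1)
# before trusting the status it carries. Certificates are modelled as the three fields a
# CertID is derived from; no real ASN.1/DER is parsed.
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class CertID:
    """RFC 6960 CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    hash_algorithm: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int


@dataclass(frozen=True)
class Certificate:
    # Constructed stand-ins for the DER issuer Name and the issuer's subjectPublicKey bits.
    issuer_name: bytes
    issuer_key: bytes
    serial_number: int

    def cert_id(self, hash_algorithm: str) -> CertID:
        digest = lambda data: hashlib.new(hash_algorithm, data).digest()
        return CertID(hash_algorithm, digest(self.issuer_name),
                      digest(self.issuer_key), self.serial_number)


@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    status: CertStatus


@dataclass(frozen=True)
class OCSPResponse:
    responses: List[SingleResponse]  # 1..N SingleResponse entries


MISMATCH = "OCSP response does not match signatory's certificate"


def find_single_response(signer: Certificate, resp: OCSPResponse) -> Optional[SingleResponse]:
    """Return the SingleResponse whose CertID equals the signer's, or None.
    The signer's CertID is recomputed with each entry's own hash algorithm, because the
    responder chooses it and the SHA-1 and SHA-256 CertIDs of one certificate differ."""
    for single in resp.responses:
        if signer.cert_id(single.cert_id.hash_algorithm) == single.cert_id:
            return single
    return None


def evaluate_signature(signer: Certificate, resp: OCSPResponse) -> Tuple[str, str]:
    """Requested behaviour: a response that never mentions the signer's certificate is
    evidence of nothing, so the signature is rejected rather than reported as unknown."""
    single = find_single_response(signer, resp)
    if single is None:
        return "Signature is not valid", MISMATCH
    if single.status is CertStatus.GOOD:
        return "Signature is valid", "certificate status: good"
    if single.status is CertStatus.REVOKED:
        return "Signature is not valid", "certificate status: revoked"
    return "Signature is unknown", "certificate status: unknown"


def evaluate_signature_lenient(signer: Certificate, resp: OCSPResponse) -> Tuple[str, str]:
    """Behaviour described in the thread (modelled here, not the project's code): a missing
    CertID match is folded into the UNKNOWN status, which is what the reporter observed."""
    single = find_single_response(signer, resp)
    status = single.status if single is not None else CertStatus.UNKNOWN
    verdict = {CertStatus.GOOD: "Signature is valid",
               CertStatus.REVOKED: "Signature is not valid"}.get(status, "Signature is unknown")
    return verdict, f"certificate status: {status.value}"


# Constructed sample data: two end-entity certificates from the same (fake) issuer.
ISSUER_NAME = b"CN=Example Test CA,O=Example,C=EE"
ISSUER_KEY = b"example-issuer-subjectPublicKey-bits"
SIGNER_CERT = Certificate(ISSUER_NAME, ISSUER_KEY, serial_number=0x1234)
OTHER_CERT = Certificate(ISSUER_NAME, ISSUER_KEY, serial_number=0x9999)

# A response vouching only for the *other* certificate, the situation the issue describes.
WRONG_CERT_RESPONSE = OCSPResponse([SingleResponse(OTHER_CERT.cert_id("sha1"), CertStatus.GOOD)])
# A response with two entries, where the signer's entry uses a SHA-256 CertID.
MATCHING_RESPONSE = OCSPResponse([SingleResponse(OTHER_CERT.cert_id("sha1"), CertStatus.REVOKED),
                                  SingleResponse(SIGNER_CERT.cert_id("sha256"), CertStatus.GOOD)])

if __name__ == "__main__":
    print(evaluate_signature_lenient(SIGNER_CERT, WRONG_CERT_RESPONSE))
    print(evaluate_signature(SIGNER_CERT, WRONG_CERT_RESPONSE))
    print(evaluate_signature(SIGNER_CERT, MATCHING_RESPONSE))
```

The point worth keeping in mind is that "no matching CertID" and "status UNKNOWN" are different facts: the first means the responder was never asked about this certificate, so nothing in the response is evidence for the signature, which is why the stricter function rejects outright instead of reporting an unknown status that reads, to the user, as a transient responder problem.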
Test .asice file attached: forgery7.zip